How Russian Hackers Broke Into John Podesta’s Gmail Accounts

According to Motherboard, the Russian hacking group Fancy Bear was responsible for the hacks on John Podesta.

John Podesta is the Chairman of the 2016 Hillary Clinton presidential campaign. He previously served as Chief of Staff to President Bill Clinton and Counselor to President Barack Obama. His leaked emails are arguably more important, if not juicier, than those of Hillary Clinton, Colin Powell and others of the Democratic National Committee (DNC).

SecureWorks, an enterprise security company, tracked Fancy Bear’s command and control servers and uncovered who Fancy Bear targeted and how they were able to hack Podesta’s Gmail account.

On March 19 of this year, John Podesta received an alarming email that appeared to come from Google. The email apparently didn’t come from the internet giant. It was actually an attempt to hack into his personal account. Months later, on October 9, WikiLeaks began publishing thousands of Podesta’s hacked emails. Almost everyone immediately pointed the finger at Russia, which is suspected of being behind a long and sophisticated hacking campaign that has the apparent goal of influencing the upcoming US elections.

SecureWorks identified approximately 3,900 targeted individuals: people in government and the military, people who worked for companies in military and government supply chains, journalists, people who worked for the DNC, and members of Hillary Clinton’s campaign organization like Podesta. Fancy Bear used a spear-phishing campaign to attack its victims.

All these hacks were done using the same tool: malicious short URLs hidden in fake Gmail messages. And those URLs, according to a security firm that’s tracked them for a year, were created with a Bitly account linked to a domain under the control of Fancy Bear.

Inside that long URL, there’s a 30-character string that looks like gibberish but is actually the encoded Gmail address of John Podesta. According to Bitly’s own statistics, that link, which has never been published, was clicked two times in March.

That’s the link that opened Podesta’s account to the hackers, a source close to the investigation into the hack confirmed to Motherboard.
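
A link whose parameters decode to the recipient’s own address, as described above, is something a defender can check for. The following Python is an added example, not code from SecureWorks or Motherboard; it assumes the address is base64-encoded (the article only says "encoded"), and the function names, host names and addresses are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Assumption: the address is base64 or base64url encoded.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")

def try_b64(token):
    """Decode a base64/base64url token to text; return None if it is not one."""
    token = token.replace(" ", "+")  # parse_qsl turns '+' into a space
    if not B64_TOKEN.match(token):
        return None
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def candidate_tokens(url):
    """Yield (location, value) for query values, path segments and fragment."""
    parts = urlsplit(url)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{key}", value
    for segment in filter(None, parts.path.split("/")):
        yield "path", unquote(segment)
    if parts.fragment:
        yield "fragment", unquote(parts.fragment)

def find_embedded_recipient(url, recipient):
    """Return the URL locations that carry the recipient's address."""
    want = recipient.strip().lower()
    hits = []
    for where, value in candidate_tokens(url):
        decoded = try_b64(value)
        if value.lower() == want or (decoded or "").strip().lower() == want:
            hits.append(where)
    return hits

# Constructed sample data (not from the incident).
RECIPIENT = "jane.doe@example.com"
TOKEN = base64.b64encode(RECIPIENT.encode()).decode()
SAMPLE_URL = f"https://login.example.test/ServiceLogin?hl=en&id={quote(TOKEN)}"

if __name__ == "__main__":
    print(find_embedded_recipient(SAMPLE_URL, RECIPIENT))
```

In a mail gateway this check would run on the final URL after the shortener’s redirects have been resolved. Legitimate tracking links also embed the recipient, so a hit is a signal to combine with sender and domain checks rather than a verdict on its own.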